How to analyze Debug logs from GUP to determine which clients are taking definitions from GUP


One of the most effective ways to determine if a client is taking definitions from the GUP is to analyze the debug logs taken from the GUP. When you enable debug logging on a client, debug.log is created in the SEP installation folder.

The plugin that takes care of GUP is called GUProxy. When you open the debug.log, you can look for GUProxy in the log.

You can locate the event sequence for clients requesting definitions from GUP. You will also notice that the clients send a separate request for every URL they need to download. From these entries you can determine which clients are taking definitions from GUP. If you have a lot of clients taking definitions from a GUP, you can increase the size of the log file to accommodate the increased amount of information.
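One way to turn those GUProxy entries into a per-client list, as an added example that is not part of the original article or a Symantec tool. The page does not show the debug.log line layout, so the sample lines are constructed; the only assumptions are that GUP entries contain the text `GUProxy` and that a request line carries the client's IPv4 address and the requested URL.

```python
import ipaddress
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample lines (hypothetical layout, hosts and paths).
SAMPLE_LOG = """\
01/15 10:02:11 <GUProxy> request from 10.0.5.21 for http://sepm.example.local/content/AAA/delta.zip
01/15 10:02:12 <GUProxy> request from 10.0.5.21 for http://sepm.example.local/content/BBB/delta.zip
01/15 10:02:40 <OtherPlugin> connection to 10.0.1.5 established
01/15 10:03:05 <GUProxy> request from 10.0.5.37 for http://10.0.1.5/content/AAA/delta.zip
01/15 10:03:09 <GUProxy> cache initialised
"""

def _valid_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def clients_using_gup(log_text, marker="GUProxy"):
    """Map each client IP to the URLs it requested in GUProxy entries."""
    requests = defaultdict(list)
    for line in log_text.splitlines():
        if marker not in line:
            continue  # entry from another plugin
        urls = URL_RE.findall(line)
        if not urls:
            continue  # GUProxy entry that is not a download request
        # Remove URLs first so a server IP inside the URL is not
        # mistaken for the requesting client.
        remainder = URL_RE.sub(" ", line)
        client = next((ip for ip in IPV4_RE.findall(remainder) if _valid_ipv4(ip)), None)
        if client:
            requests[client].extend(urls)
    return dict(requests)

def summarize(requests):
    """Rows of (client, total requests, distinct URLs), busiest client first."""
    rows = [(ip, len(urls), len(set(urls))) for ip, urls in requests.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for ip, total, distinct in summarize(clients_using_gup(SAMPLE_LOG)):
        print(f"{ip}: {total} requests, {distinct} distinct URLs")
```

To use it on a real GUP, pass the text of that machine's debug.log to `clients_using_gup` and adjust the two regular expressions to the line layout you actually see.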

Assuming one machine is designated as a GUP, it is obvious that GUP takes the update from SEPM.

Scenario
=======
On my SEPM the liveupdate policy is defined as taking from "Management server" as well as "symantec live update server".

If the client fails to connect to the Management server, it can take live updates from the internet, i.e. the Symantec LiveUpdate server.

Now this policy is applied to GUP as well, as GUP is also considered a client to SEPM (correct me if I am wrong). So if GUP fails to download content from the management server, it should take the update from the internet.

My direct question is: can GUP take updates from the internet if for some reason it cannot connect to the Management server?

GUP can download definitions for the clients only from the SEPM. It can update itself from the internet, but it cannot share those updates downloaded from the internet with the clients.

Here's what I understand about the procedure for the GUPs to take the definitions:

1. Client contacts SEPM to get the latest content. Receives the latest index file.
2. From index file, it comes to know that the definitions are different from the manager. So it will send a request to create delta definitions.
3. After receiving this request, SEPM will start preparing the delta definitions.
4. When SEPM completes the delta creation, it will make those deltas available in IIS [ Inetpub\content\ ] folder.
5. SEPM will send the URL for this delta to the client.
6. Now, the client will contact the GUP configured to provide that delta. It also sends the URL for delta definition.
7. GUP realizes that it does not have that delta, so, it uses the same URL, and downloads the delta in its own cache.
8. As the delta is available at GUP, client will receive from the GUP.

So, to answer your question, a GUP will have the definitions from SEPM, only when it receives a definition request from a client.

Which GUP to select has been discussed in the earlier comments.

Let us know if you have any questions. This discussion is really getting interesting as we are discussing all the details about the GUP configuration.

I have been working with Symantec AV and SEP for a number of years and am responsible for troubleshooting all problems in my organization (15,000+ clients).

I recently had an issue with clients receiving updates from my GUP. I would like to offer further information on the process. I would like to note I am using location awareness.

It seems that the client that is designated as a GUP has a separate communication process with the management server in order to receive the updates that it will provide for its clients. And without getting too technical, after analyzing the 2 debug files I activated, this is what I found.

The GUP client portion is totally clueless that it is in fact a GUP, it will go through the same process of locating a GUP and/or management server just like every other client (non-GUP).

The GUP itself will communicate with the assigned GUP (itself) through the IP address for itself. Unaware that it is actually communicating with itself (the GUP).

Interesting is the fact that these two functions are totally independent. And when you first designate a client as a GUP, while reviewing the 2 debug files (1 for the GUP, 1 for the client), you will see the GUP initialize and create the appropriate folders and request and download the updates from the management server.

Then you will see the GUP client request and download the updates from the GUP (the same client - itself).

The SEP client loads the GUP component, but they act independently of each other. That is also why sometimes the GUP will distribute updated content, yet the SEP client on the same machine will be out of date.

Thanks for posting this so clearly

Please mark the post that best solves your problem as the answer to this thread.

I just enabled the debug in SEP (Help and Support - Debug Logs - Edit Log), and the log was captured in C:\program files\symantec\symantec end point protection. I viewed the logs, but they are different from the logs which you attached. Can you explain how to find the same log on the GUP server? It will be very helpful for me. Thanks.